Wednesday, April 07, 2010

Google attack - lessons for the home users

Does the Google attack issue have any relevance to you?? Most of us have dismissed it as a Google vs. China issue - and not bothered to ponder it!! If you are using Windows Explorer 7 and below for your Internet browsing, then read this post carefully!!


Today's (07 Apr 10) headlines in almost all prominent newspapers in the country (best details in The Economic Times) regarding the Cyber Attacks (with Defense units/persons being major targets!!) make some of our past discussions prophetic!!

As mentioned earlier - I am a pretty worried man when I see our user awareness :-/ - and that's the reason I have been crying from the roof-tops (nooo, I didn't plant today's newspaper stories!!) :-) for safe computing!! My take: Use Proprietary or Open-Source - no problem. But use it safely!! That is, do not use pirated proprietary software (logic: if someone can subvert the key for piracy, they can easily put in malware), and when using Open Source, don't download code from unknown/non-validated repositories!!!


This mail is for awareness and information and is regarding the recent Google attack - and in brief!!

The Google attack was NOT about backdoors in Open Source software - but because of a vulnerability in the Windows Explorer 7 browser on all Windows platforms. The cyber attack has been called Operation Aurora.

Refer to this web site: http://www.guardian.co.uk/technology/blog/2010/jan/20/google-china
And this: http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

Wikipedia gives a nice account: http://en.wikipedia.org/wiki/Operation_Aurora
In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.

A brief on the attack can be found at the Symantec site: http://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions

There is evidence to show that documents attached to an email message were a method of infection. There are also reports of an unpatched vulnerability in Microsoft's Internet Explorer, which allowed even fully patched computers to become infected once they were lured into visiting a website of the hacker's choosing.

The attack is detailed at this site: http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html

The post describes functionality (static analysis) of the trojan that was reported in the recent targeted attacks against some large companies.

Trojan.Hydraq trojan is a DLL that runs as a service within the context of the system process svchost.exe.

In order to be executed within the process svchost.exe at the system startup, the trojan employs no injection techniques - this is achieved with the steps described below.

Firstly, the trojan registers itself as a system service RaS[4 random characters] by creating registry entries under the newly created key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
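A defender can check a machine for that service-name pattern. The following is an added example, not code from this post or from the ThreatExpert write-up: it triages the subkey list printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services`. The function names and the sample listing are constructed for illustration, and it assumes "4 random characters" means any four characters, since the character set is not given here.

```python
import re

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

# Assumption: "4 random characters" = any four characters legal in a key name.
EXACT = re.compile(r"RaS[^\\]{4}")                 # exact case from the write-up
LOOSE = re.compile(r"ras[^\\]{4}", re.IGNORECASE)  # same shape, any case

# Constructed sample of `reg query` output (not taken from a real host).
# RasAuto, RasMan and Rasl2tp are built-in Windows Remote Access services;
# RaSkq3x is a made-up name that follows the pattern described above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSkq3x
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasl2tp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
"""

def service_names(reg_query_output):
    """Return the direct subkey names under ...\\Services from reg query text."""
    names = []
    for line in reg_query_output.splitlines():
        line = line.strip()
        if line.upper().startswith(SERVICES_PREFIX.upper()):
            name = line[len(SERVICES_PREFIX):]
            if name and "\\" not in name:   # skip nested keys such as ...\Parameters
                names.append(name)
    return names

def triage(names):
    """Split names into exact-pattern hits and same-shape names to confirm."""
    findings = {"suspicious": [], "review": []}
    for name in names:
        if EXACT.fullmatch(name):
            # "RaS" with a capital S followed by exactly four characters.
            findings["suspicious"].append(name)
        elif LOOSE.fullmatch(name):
            # Registry key names preserve case, so a legitimate "Ras...." name
            # differs only in the third letter; list it for a manual check.
            findings["review"].append(name)
    return findings

if __name__ == "__main__":
    for level, hits in triage(service_names(SAMPLE)).items():
        print(level, hits)
```

A name in the "suspicious" list is only a lead: confirm it by checking which DLL the service loads before treating the machine as infected.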

The alarming part, as I perceive it, is:
If your systems are not patched, they can be easily hacked as the particular attack methodology is now available as an exploit in the famous 'Metasploit' hacking software available as freeware and open-source!!! This means even a less savvy IT enthusiast who does not have much scripting knowledge can easily hack into systems if the particular Windows Explorer system is not patched urgently. High risk areas are domestic/community and office LANs serviced by ISPs.


Those affected, do take necessary action!
(a) If confused about what steps to take - please start using the Firefox or Google Chrome web browser for starters!!
(b) Next, worry about getting licensed application software - from MS-Office to Photoshop - or switch to Open Source software like OpenOffice, Gimp (Photoshop equivalent) etc. This site would be of some help: http://www.linuxalt.com/

Tuesday, April 06, 2010

Linux Cheat Sheets compilation

1. Linux Command Line

2. Linux Security

3. Linux Administration

4. Gnome/KDE

5. sed/awk/vim and other tools

6. Distro Specific

7. Everything Else

  • Online Man Pages – The ultimate cheat sheet repository. Also use the ‘man‘ command.

Friday, April 02, 2010

Open Source Enterprise Collaboration Software

Check out 'MindTouch' - a great Open Source alternative to Microsoft Sharepoint - for Enterprise collaboration! http://www.mindtouch.com/

If one wants to buy support for MindTouch - one can easily buy the same.

I see many of our organisations getting trapped into using MS Sharepoint - without realising that they get locked to a single vendor, and will not have any choice but to use products from a single vendor or a limited set of vendors - and most importantly, with very serious security implications!!

=========EXTRACT from MindTouch Web site======

MindTouch transforms businesses with a new class of enterprise software that cuts costs, increases revenue, and provides greater transparency across the organization. It is time for enterprise software to take a giant leap forward. MindTouch provides wiki-like ease of use with a sophisticated web services framework for rapid application development, creating flexible workflows and rapid integration. MindTouch creates a vibrant real-time information fabric by federating content from across enterprise silos, such as CRM, ERP, file servers, email, databases, web services and more.
MindTouch is an open source leader in enterprise Collaborative Networks and powers next generation intranets, extranets and knowledge bases.